# PhishDestroy threat dossier — centralcreditofacil.online
================================================================
Fetched: 2026-06-30 20:40:36 UTC
Canonical: https://phishdestroy.io/domain/centralcreditofacil.online/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 94/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 17/91 security vendors flagged this domain
Flagging vendors: Criminal IP, alphaMountain.ai, BitDefender, Certego, Chong Lua Dao, Cluster25, CRDF, CyRadar, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, Lionic, OpenPhish, SOCRadar, Sophos
AlienVault OTX: 1 pulse (threat-intel feed mentions)
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 69.49.241.79 (BR, Vinhedo)
ASN: AS31898 Oracle Corporation
Hosting org: Oracle Corporation
Registrar: DYNADOT LLC
Nameservers: ns1.dyna-ns.net, ns2.dyna-ns.net
Registered: 2026-06-28
Expires: 2027-06-28
HTTP response: 406

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / YR2
Expires: 2026-09-26
Status: INVALID chain
Fingerprint: 2e7cf367030e64f1054cc9aba978978e2e47ae7c9cc02789b1c28a3727859a07
Subject Alternative Names (related infrastructure — often same operator):

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-28 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-30 19:26:41 UTC (by PhishDestroy tracker)
Last verified: 2026-06-30 21:00:29 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019f1990-2f7a-7659-8218-54959498ca14/
Wayback Machine: https://web.archive.org/web/*/centralcreditofacil.online
crt.sh CT logs: https://crt.sh/?q=%25.centralcreditofacil.online
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=centralcreditofacil.online
AlienVault OTX: https://otx.alienvault.com/indicator/domain/centralcreditofacil.online
URLhaus: https://urlhaus.abuse.ch/host/centralcreditofacil.online/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-30 21:00:29 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain, centralcreditofacil.online, is identified as a high-risk credential harvesting phishing site targeting financial and personal data. Analysis indicates the infrastructure is designed to mimic legitimate credit services, luring users into submitting sensitive login credentials, payment details, or personally identifiable information. The threat actors behind this domain employ social engineering tactics, including fraudulent login portals and urgency-driven messaging, to exploit victims. Given the domain's focus on financial deception, affected users may face unauthorized transactions, identity theft, or account takeovers if credentials are compromised.

Infrastructure analysis reveals multiple high-confidence indicators supporting this classification. The domain was registered on June 28, 2026, through DYNADOT LLC, a registrar frequently associated with malicious registrations. It currently resolves to the IP address 69.49.241.79 and appears on one security blocklist. Threat intelligence platforms report its presence in one AlienVault OTX pulse, while VirusTotal shows 17 out of 95 security vendors flagging the domain as malicious. These detections include signatures for phishing, fraudulent financial portals, and credential theft, with some engines specifically labeling it as a high-risk financial scam.

Users who have visited centralcreditofacil.online or interacted with its content should take immediate remediation steps. First, revoke any credentials entered on the site and enable multi-factor authentication on all associated accounts. Monitor financial statements and credit reports for unauthorized activity, as compromised data may be exploited over an extended period. If payment details were submitted, contact financial institutions to initiate fraud alerts or freeze accounts. Additionally, scan local devices for malware, as phishing sites may distribute secondary payloads. Organizations should block the domain and its resolving IP at the network level to prevent further exposure.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: b8a0bf372c762e966cc99ede8682bc71
TLS cert SHA-256: 2e7cf367030e64f1054cc9aba978978e2e47ae7c9cc02789b1c28a3727859a07

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/centralcreditofacil.online/
JSON API: https://api.destroy.tools/v1/check?domain=centralcreditofacil.online
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 172,909 domains (13,055 alive under monitoring, 159,234 confirmed takedowns/dead).
Site: https://phishdestroy.io